Johnny van de Laar
Stored credit card details

I just got this mail from Visa saying that by the end of this year all websites where you can make Visa payments have to be PCI compliant. If I understood everything correctly, Ubercart is now PCI compliant?

For a website where we take credit card payments I started with Ubercart alpha 6, I think. As good maintainers, we are now running 1.6, of course. But there is still a table uc_payment_credit with all kinds of credit card data in it from payments made in older Ubercart versions.

What should we do with the content of this table? Remove it?

Ryan
Re: Stored credit card details

Just empty it. Even that data is PCI compliant, because it's just encrypted, truncated CC data... but it's not being used by UC any more. We left the table for backwards compatibility, but it's safe to truncate it.

Johnny van de Laar
Re: Stored credit card details

Ryan wrote:
Just empty it. Even that data is PCI compliant, because it's just encrypted, truncated CC data... but it's not being used by UC any more. We left the table for backwards compatibility, but it's safe to truncate it.

Well, my table doesn't look encrypted, as I can see all the CC numbers, CVV numbers, etc. According to the Visa PDF it is illegal to store the CVV, so that made me worry a bit ;) (that, and the 5k dollar fine they mention in their PDF if you don't follow the rules).

But I'll truncate the table and be a happy Ubercamper again.
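Before emptying a legacy table like the one described above, a practitioner usually wants to know what it actually holds: encrypted or truncated data is one thing, cleartext PANs and CVVs are another, and the scan result determines whether backups and database dumps also need attention. The script below is an added example and is not Ubercart code; it uses an in-memory SQLite stand-in for uc_payment_credit whose column names (order_id, cc_number, cc_cvv) and sample rows are constructed assumptions, not the real Ubercart schema. It flags rows containing Luhn-valid card numbers or a bare 3/4-digit CVV value, then empties the table.

```python
import re
import sqlite3

# Constructed stand-in for a legacy Ubercart uc_payment_credit table.
# Column names and rows are assumptions for this example, not the real schema.
SAMPLE_ROWS = [
    # (order_id, cc_number, cc_cvv)
    (1, "4111111111111111", "123"),         # cleartext PAN + CVV: must not be kept
    (2, "4012-8888-8888-1881", "999"),      # cleartext PAN (dashed) + CVV: must not be kept
    (3, "411111******1111", ""),            # truncated/masked: not a full PAN
    (4, "kJd8XsP1+Q2n7wVb9vE0mA==", ""),    # opaque encrypted blob: not a PAN
]

# Candidate card-number runs: 13 to 19 digits, optional single space/dash separators.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit card number."""
    if not isinstance(value, str):
        return False
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed legacy table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uc_payment_credit (order_id INTEGER, cc_number TEXT, cc_cvv TEXT)"
    )
    conn.executemany("INSERT INTO uc_payment_credit VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_cleartext_cards(conn: sqlite3.Connection, table: str = "uc_payment_credit"):
    """Return one finding per row that holds a cleartext PAN or a CVV value."""
    cur = conn.execute(f"SELECT * FROM {table}")
    cols = [d[0] for d in cur.description]
    findings = []
    for row in cur.fetchall():
        rec = dict(zip(cols, row))
        pan_cols = [c for c, v in rec.items() if looks_like_pan(v)]
        # Any column whose name suggests a security code and holds 3-4 bare digits.
        has_cvv = any(
            re.fullmatch(r"\d{3,4}", str(v or "")) is not None
            for c, v in rec.items()
            if "cvv" in c.lower() or "cvc" in c.lower()
        )
        if pan_cols or has_cvv:
            findings.append(
                {"order_id": rec["order_id"], "pan_columns": pan_cols, "has_cvv": has_cvv}
            )
    return findings


def purge_table(conn: sqlite3.Connection, table: str = "uc_payment_credit"):
    """Empty the table; returns (rows_before, rows_after)."""
    before = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    # SQLite has no TRUNCATE; on MySQL this would be: TRUNCATE TABLE uc_payment_credit
    conn.execute(f"DELETE FROM {table}")
    conn.commit()
    after = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    return before, after


if __name__ == "__main__":
    db = build_sample_db()
    for f in find_cleartext_cards(db):
        print(f"order {f['order_id']}: PAN in {f['pan_columns']}, CVV stored: {f['has_cvv']}")
    print("rows before/after purge:", purge_table(db))
```

The scan is deliberately conservative: a masked value such as 411111******1111 and an encrypted blob produce no digit run that passes Luhn, so only the two cleartext rows are reported. Emptying the live table does not touch cardholder data that already went into SQL dumps or backups, so those should be checked the same way.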

Ryan
Re: Stored credit card details

Yeah, I think encryption was optional for testing at one point in time, and I was encouraged to make it required... to help out people in exactly your situation. :P

JDSaward
PCI compliance

I am just inheriting a site that uses Ubercart and the 'Credit Card' module.

My understanding of the discussion here and elsewhere [e.g. http://www.ubercart.org/forum/support/7338/visa_payment_application_secu... ] is that Ubercart is claiming to be PCI compliant, except for the possibility of legacy unencrypted details left lying around because of older test practices. :(

I do not find Ubercart on the 'List of Validated Payment Applications' at https://www.pcisecuritystandards.org/security_standards/vpa/. Does that mean that Ubercart is 'compliant' but not 'validated'?

Ryan
Re: PCI compliance

If validation means paying for review, then Ubercart isn't validated. However, I've kept the PCI docs handy as I've developed the CC module and can vouch for its compliance. As for what people do with their data... well, I can't really stop them from doing anything, even posting unencrypted credit cards into node bodies. However, the default configuration is compliant, and the documentation indicates where certain configurations might not be PCI compliant. For what it's worth, though, even "legacy details" will never be left unencrypted, and Ubercart cleans CC data out on cron runs in debug mode to prevent that data from sticking around needlessly. Any data that is authorized/captured is always truncated, in accordance with PCI standards. In other words... we've got your back.